DragonForce is not just another ransomware brand – it’s a destabilizing force trying to reshape the ransomware landscape. Counter Threat Unit (CTU) researchers are actively tracking the evolution of the threat posed by the group.
Enter the dragon
DragonForce is involved in high-impact attacks targeting both traditional IT infrastructure and virtualized environments (e.g., VMware ESXi), with a strong emphasis on credential theft, Active Directory abuse, and data exfiltration. In March 2025, it launched efforts to claim dominance in the ransomware ecosystem by introducing a more flexible affiliate model and targeting other ransomware groups.
A series of attacks on UK retailers that began in late April brought this group into sharper focus as third-party reports linked these attacks to DragonForce and the GOLD HARVEST (also known as Scattered Spider) threat group. GOLD HARVEST frequently leverages social engineering, abuse of remote monitoring and management (RMM) tools, and multi-factor authentication (MFA) bypass techniques to gain access, steal bulk data, and sometimes deploy ransomware.
When DragonForce emerged in August 2023, it offered a traditional ransomware-as-a-service (RaaS) scheme. On March 19, 2025, the group announced a rebrand as a ‘cartel’ to expand its reach, hoping to emulate the success of LockBit and other mature RaaS groups. In practice, it isn’t a cartel operation but an offering that gives affiliates the flexibility to leverage DragonForce’s infrastructure and ransomware tools while operating under their own brands (see Figure 1).
Figure 1: Advertisement for the DragonForce cartel
DragonForce didn’t just revamp its business model; it began attacking rival operations. The ‘cartel’ post coincided with defacements of leak sites operated by the BlackLock and Mamona ransomware groups. The defacements appeared to have been conducted by DragonForce, as seen in the side-by-side screen captures in Figure 2.
Figure 2: Defaced Mamona (left) and BlackLock (right) leak sites
In April, a post on the RansomHub leak site appeared to promote the DragonForce cartel, as seen in Figure 3. A DragonForce post on the RAMP underground forum also seemed to indicate that the groups were working together, but the postscript suggested that RansomHub might not support the collaboration (see Figure 4). RansomHub is one of the most prolific groups to emerge following the LockBit disruption and ALPHV (also known as BlackCat) demise in 2024.
Figure 3: DragonForce cartel mention on RansomHub leak site
Figure 4: DragonForce post suggesting a collaboration with RansomHub
Shortly after these posts, the RansomHub leak site went offline. The homepage displayed the message “RansomHub R.I.P 03/03/2025.” The “collaboration” between DragonForce and RansomHub appears to have been more of a hostile takeover by DragonForce. The ‘koley’ persona, who is known to be a prominent RansomHub member, posted a defacement of the DragonForce homepage on RAMP (see Figure 5), along with the message “@dragonforce guess you have traitors…” Additional posts by koley accused DragonForce of working with law enforcement, attacking rivals, and telling lies.
Figure 5: Defacement of the DragonForce leak site shared by RansomHub member ‘koley’
As of this publication, the DragonForce leak site is back online after an extended period of downtime. During that period, the homepage displayed a message stating that it would be up again soon, and a similar message appears on the RansomBay leak site (see Figure 6).
Figure 6: DragonForce and RansomBay leak site homepages as of May 2, 2025
In May 2025, UK retailer Marks and Spencer was the subject of a significant cyberattack that was publicly attributed to GOLD HARVEST (referred to in the reporting as Scattered Spider), although this attribution has not been officially confirmed. This group is a loosely organized cybercriminal collective made up of individual threat actors who collaborate through a shared network of underground forums and encrypted chat channels used by a community of like-minded individuals known as “The Com.” The threat actors in this community coordinate malicious services to conduct attacks, exchange tools, and share tactics within this decentralized ecosystem. GOLD HARVEST reportedly deployed the DragonForce ransomware in this attack.
GOLD HARVEST has been known to operate as a ransomware affiliate, deploying ALPHV ransomware in attacks on MGM Resorts in 2023 and reportedly using RansomHub in attacks throughout 2024. The threat actors utilize a wide range of tactics, techniques, and procedures (TTPs) in their attacks but are known for their effective use of social engineering. They often gain access to organizations by targeting IT help desks. Public attribution of the Marks and Spencer attack may be predicated on the belief that the attack started with social engineering, perhaps targeting help desk staff.
Social engineering is a universal threat across the cyber landscape and is not unique to GOLD HARVEST, although the group has been adept at using this approach via email and telephone calls. There is increasing interplay between social engineering and stolen credentials. GOLD HARVEST is known to employ commodity infostealers such as Vidar and Raccoon, which collect browser-saved passwords, cookies, and session tokens. These credentials can enable initial access directly or support more convincing social engineering attempts by allowing attackers to reference internal systems or mimic legitimate employee behavior.
DragonForce has claimed two attacks impacting UK retailers. These attacks highlight the need for vigilance by companies in the retail sector. The internal warfare among ransomware groups is disruptive to their own operations but doesn’t reduce risk to organizations. In fact, it may lead to more erratic, opportunistic attacks as groups scramble to assert dominance and monetize stolen data in new ways. Organizations must therefore revisit their incident response, threat intelligence, and third-party risk management strategies to remain resilient in an increasingly chaotic threat environment.
Tips for defenders
While technical controls remain essential for detecting and mitigating GOLD HARVEST and DragonForce activity, they must be reinforced by strong internal processes and consistent human vigilance. These attacks reinforce that technical compromises often begin with social compromise: conversations, not exploits, are frequently the initial point of compromise. Organizations must reduce their exposure to social engineering by combining technical controls with procedural discipline. CTU researchers recommend that organizations take the following actions to mitigate the risks of these attacks:
- Deploy browser isolation and password managers to prevent harvesting of saved credentials.
- Implement endpoint detection for infostealer activity, including credential and session cookie theft.
- Use an identity monitoring solution that draws on dark web sources and threat intelligence feeds to continuously monitor for compromised credentials.
- Enforce strict identity verification protocols for IT support and help desk interactions.
- Establish clear escalation paths to empower front-line staff to resist unusual or urgent requests until they can be verified.
- Conduct regular tabletop exercises that simulate social engineering and insider threat scenarios.
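The infostealer behaviour described earlier (Vidar and Raccoon collecting browser-saved passwords, cookies and session tokens) and the endpoint detection recommended above can be illustrated with a small detection rule. This is an added example, not code from the CTU report: it takes a simplified file-access audit record (process image plus target path, an assumed layout rather than any product's schema) and flags non-browser processes opening the browsers' credential stores.

```python
"""Flag non-browser processes that open browser credential stores.

Constructed example. Input records are a simplified (image, target) view of a
file-access audit log; that field layout is an assumption, not a real schema.
"""
import re
from pathlib import PureWindowsPath

# Files holding saved passwords, cookies and session material. The filenames
# are the browsers' own; the set is compared case-insensitively.
CREDENTIAL_STORES = {
    "login data", "cookies", "web data",          # Chromium family
    "logins.json", "cookies.sqlite", "key4.db",   # Firefox
}

# Processes expected to open those files legitimately.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Chromium stores live under ...\User Data\<Profile>\ (newer builds keep
# Cookies one level deeper in \Network\); Firefox under ...\Profiles\<id>\.
PROFILE_DIR = re.compile(
    r"\\(user data\\[^\\]+(\\network)?|profiles\\[^\\]+)\\[^\\]+$")


def is_credential_store(path: str) -> bool:
    """True when the path names a known store inside a browser profile."""
    p = path.lower()
    return PureWindowsPath(p).name in CREDENTIAL_STORES and bool(PROFILE_DIR.search(p))


def suspicious_accesses(events):
    """Return (image, target) pairs where a non-browser process reads a store."""
    hits = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if image not in BROWSER_IMAGES and is_credential_store(ev["target"]):
            hits.append((image, ev["target"]))
    return hits


# Constructed sample: a benign browser read, two reads by unexpected binaries,
# and an unrelated file whose name merely resembles a store.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\ProgramData\sync\helper.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\Cookies.txt"},
]

if __name__ == "__main__":
    for proc, path in suspicious_accesses(SAMPLE_EVENTS):
        print(f"ALERT: {proc} opened {path}")
```

In production the allowlist should be keyed on signed image path rather than bare filename, since a stealer can name itself chrome.exe.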